Bank of America Employee Charged With Planting Malware on ATMs

Share

Bank of America Employee Charged With Planting Malware on ATMs

A Bank of America worker installed malicious software on his employer's ATMs that allowed him to make thousands of dollars in fraudulent withdrawals, all without leaving a transaction record, according to federal prosecutors.

Rodney Reed Caverly, 53, was a member of the bank's IT staff when he installed the malware. The Charlotte, North Carolina, man made fraudulent withdrawals over a seven-month period ending in October 2009, according to prosecutors, who've charged him with one count of computer fraud.

The government wouldn't say how much money Caverly stole; the charging document (.pdf), filed April 1, states only that his payoff surpassed the statutory minimum of $5,000.

Caverly, reached by phone, told Threat Level he had no comment, and hung up. According to court records, he has entered into a plea agreement with prosecutors and is set to appear in court on April 13.

"I am absolutely, completely shocked. It doesn't sound like something he would do. This is just absolutely crazy."Caverly was formerly the founder and CEO of Sovidian, LLC, a North Carolina-based software development company established in 1999. The company merged in April 2003 with Data On CD, a document management and archiving firm. According to a news release on Sovidian's website announcing the merger, the company has provided "tailored software and software integration solutions for the finance industry for over 10 years," and counted Bank of America and two other major financial institutions as customers.

"Our customers range from large service bureaus (IBM, EDS and M&I Data); to multibillion dollar banks (Bank of America, First Union and Bank of Nova Scotia, Canada); to local community banks," Caverly is quoted as saying in the release. "Banks are very individualistic. Each situation and operating environment is completely different. There are no off-the-shelf solutions especially for integrating new and old technologies and applications. We specialize in making applications talk to each other and integrating peripherals into existing software environments."

Tom Chase, general manager for Sovidian, told Threat Level that the company hasn't had any banking or finance customers since 2004, and that Caverly hasn't worked there for years. Though he's still a major investor in the business, he has "very little involvement" with it now, said Chase.

"I am absolutely, completely shocked [by the charges]," Chase said. "It doesn't sound like something he would do. This is just absolutely crazy."

Caverly took the job with Bank of America some time around 2007, said Chase.

The charges were filed the same day that credit card company Visa warned the banking industry that Eastern European ATM malware recently showed up in America for the first time.

That code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture PINs and bank card magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was still in it. At the time, security firm Trustwave warned that the malware was likely headed for ATMs in the United States.

At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR, according to the April 1 Visa alert.

There is no information tying the malware found in Russia with the malware allegedly used by Caverly. Bank of America did not immediately respond to a call for comment about the case, but told the Associated Press that the bank discovered the thefts internally. Caverly's attorney did not return a call.

Nick Percoco, vice president and head of Trustwave’s SpiderLabs Incident Response Team, said the malware does sound like it could be the malware found in East Europe or a version of it.

"[Caverly] could have obtained a copy of that and modified it for his own use," he told Threat Level. "But the ability to dispense cash without recording activity – that was definitely a feature of the East European malware."